Earlier this week, Saratoga-based security company Codenomicon found what just might be the mother of all security flaws: a bug in a nearly ubiquitous encryption scheme, which they're calling "Heartbleed," that potentially allowed hackers to slurp up every username and password on any number of popular websites without anyone being the wiser. In a test, researchers were able to get 200 usernames and passwords for Yahoo mail after about five minutes of running the exploit, describing the effort as "trivial."

Now for the worst part: This security hole has been open for two years.

So now that you're appropriately freaked out, the next logical question is, what is being done? Fortunately, a patch already exists that closes the hole, and it's currently being rolled out by sysadmins across the web right now. So in a sense, the problem is already being fixed, but that will come as cold comfort to the many people who have probably already been compromised without realizing. Here's what you can do:

Step 1: Change your password. Yeah, this is the advice that gets trotted out whenever there's a security breach, but that's because it's the one thing you need to do. Yeah, it sucks, but seriously, change your password. Although it's impossible to know if you were targeted by this hack, given that the security hole has been open for so long, the safest thing is to assume that you have been compromised. The rub here is that this is an ongoing problem for many websites, meaning that if you change your password before the fix is applied on the server side, you're not really safe. Here's a tool you can use to check whether the fix has been implemented yet on websites you use. If that tool says the website is unaffected, go ahead and change your password. If it says the site is vulnerable, you should probably still change your password because the old one is currently unsafe, but lob a complaint at the webmaster so they can fix it. Once it's fixed, go ahead and change your password again.

Step 2: Don't use dumb passwords. While you're changing your password, make sure you use something suitably secure. Think of this as an opportunity to retire "password," "letmein," and "12345" from your stable of passwords. Passwords should be as long as possible (length is the No. 1 most important factor in password strength) and contain letters, numbers, capitals, etc. Consider using a passphrase instead of a password. A good way to do this is to take four random words and put them together, then think of a story or a picture involving those words to help you remember.

Step 3: Don't use the same password on different websites. It goes without saying. Don't do this. If someone hacks the password to your Instagram account, then they have access to your Instagram account and all the selfies it contains. If you use the same password for your work mail, your personal email and your bank account, well, things just got a lot worse for you.

Step 4: Consider a password service like Keepass or LastPass. A password manager like Keepass or LastPass makes Step 3 that much easier to do. Essentially, it generates a strong, random password for every different site you visit and lets you log in using a single master password that unlocks the password manager. Some people worry that you create a security risk when you do this (the password manager becomes a single point of failure for your passwords), but I say the benefits outweigh the drawbacks, i.e. having strong passwords on multiple sites in a way you can actually remember, and thus use. Plus, the people who are running these services tend to be a more security-conscious group than most. LastPass, for example, was affected by this security hole, but hackers couldn't get at its password trove due to additional security measures it had implemented.
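Steps 2 and 4 both come down to the same idea: pick passwords at random from a large enough pool, and prefer length over cleverness. The script below is an added example, not code from the article or from any password manager it mentions; it uses Python's `secrets` module (the cryptographically secure random source, unlike `random`) to build a four-word passphrase and a per-site random password, and it computes the entropy of each so you can see why a four-word passphrase beats a short "complex" password. The word list here is a small constructed sample; a real Diceware-style list has 7776 words, and the `DICEWARE_SIZE` constant is used for the entropy comparison on that basis.

```python
import math
import secrets
import string

# Constructed sample word list for demonstration only. A real Diceware-style
# list has 7776 entries; never generate passphrases from a list this small.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dragon", "engine", "falcon", "garden",
    "hammer", "island", "jacket", "kettle", "ladder", "magnet", "needle",
    "orange", "pepper", "quartz", "rocket", "saddle", "tunnel", "velvet",
    "walnut", "yellow", "zipper", "bridge", "copper", "forest", "helmet",
    "marble", "pillow", "silver", "window",
]
DICEWARE_SIZE = 7776  # size of a standard Diceware list (6**5)

# Pool for password-manager-style random passwords: letters, digits, symbols.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(pool_size, count):
    """Entropy in bits of `count` independent uniform picks from `pool_size` items.

    This is the quantity a brute-force attacker has to search, so it is the
    honest measure of strength: more words, or more characters, means more bits.
    """
    return count * math.log2(pool_size)


def passphrase(words=SAMPLE_WORDS, count=4, separator="-"):
    """Step 2: join `count` words chosen uniformly at random (with replacement).

    secrets.choice is CSPRNG-backed; random.choice would be predictable.
    The separator only aids readability and adds no secrecy.
    """
    return separator.join(secrets.choice(words) for _ in range(count))


def random_password(length=20, alphabet=PASSWORD_ALPHABET):
    """Step 4: the kind of unique, unmemorable password a manager stores for you."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_strength(word_count=4, list_size=DICEWARE_SIZE, char_count=8,
                     alphabet_size=len(PASSWORD_ALPHABET)):
    """Return (passphrase_bits, password_bits) for a quick side-by-side.

    With the defaults, four Diceware words (~51.7 bits) beat eight random
    characters drawn from all printable symbols (~52.4 bits for 94 symbols only
    barely; for the common 62-symbol alphanumeric pool, eight chars is ~47.6).
    """
    return (entropy_bits(list_size, word_count),
            entropy_bits(alphabet_size, char_count))


if __name__ == "__main__":
    print("passphrase:", passphrase())
    print("manager-style password:", random_password())
    pp_bits, pw_bits = compare_strength()
    print(f"4 Diceware words: {pp_bits:.1f} bits; 8 random chars: {pw_bits:.1f} bits")
    print(f"8 alphanumeric chars: {entropy_bits(62, 8):.1f} bits")
```

The takeaway matches the article's ordering of priorities: adding one more word to a passphrase adds about 12.9 bits, roughly the same as adding two random characters to a password, and the passphrase is far easier to remember. For sites where you will never type the password by hand, let the manager generate something like `random_password()` and store it.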

Step 5: Turn on two-factor authentication, if available. The best password strategy, however, is not to protect yourself with passwords. Or at least, not just with passwords. Two-factor authentication is a feature increasingly offered by website operators that adds a layer of security beyond the password, typically by texting you a code to verify that you're actually the person logging in whenever you attempt to log into a website. It adds an extra step, which is a hassle. But because it means a hacker would have to steal not only your password but your cell phone as well to get into your account, it goes a long way toward securing your identity online. If a website you use offers it, consider turning it on, particularly for really sensitive sites like your bank.